[00:00.000 --> 00:04.120]  supporting the Red Team Village. We're very honored to have you here.
[00:04.120 --> 00:06.340]  And with that said, take it away.
[00:06.680 --> 00:10.400]  Well, hello everybody, and good morning if you're just waking up.
[00:10.400 --> 00:14.260]  I am so happy to be giving this presentation at the Red Team Village
[00:14.260 --> 00:16.800]  at DEF CON Safe Mode this year.
[00:16.800 --> 00:23.100]  Coming to you live from my tiny little Amsterdam house.
[00:23.220 --> 00:27.780]  And hopefully I can bring some energy and wake some people up.
[00:27.780 --> 00:29.860]  So this is called Pwn the World.
[00:30.360 --> 00:33.440]  So if you don't know much about me, my name is Chris Kubecka.
[00:33.440 --> 00:38.720]  And I am the CEO of two companies, one in the UK and one in the Netherlands.
[00:38.720 --> 00:43.360]  It deals with critical infrastructure protection and high-level incident response.
[00:43.360 --> 00:47.980]  I'm also a Distinguished Non-Resident Fellow at the Middle East Institute for the Cyber Program,
[00:48.300 --> 00:50.780]  dealing with a lot of these issues in the Middle East.
[00:50.960 --> 00:55.140]  My areas of main concentration are critical infrastructure,
[00:55.140 --> 01:00.380]  lots of different ICS, industrial IoT, and especially cyber warfare.
[01:00.380 --> 01:04.400]  I've been involved with several high-level cases of cyber warfare in the past,
[01:04.400 --> 01:06.320]  and continue to do so.
[01:06.340 --> 01:10.040]  Previous to this, I headed the Information Protection Group
[01:10.040 --> 01:14.360]  and International Intelligence Group for the Aramco family.
[01:14.760 --> 01:18.700]  And not that many years ago, I won't date myself,
[01:18.700 --> 01:24.940]  I was an air crew member, and also with Space Command, dealing with command and control systems.
[01:25.440 --> 01:29.940]  So, let's briefly talk about what a control system is.
[01:29.940 --> 01:32.580]  Because this is my favorite part of technology,
[01:32.580 --> 01:38.300]  where you get to actually move things, or set things in motion,
[01:38.300 --> 01:46.040]  to where once you program something, it then has a set series of responses that it does.
[01:46.040 --> 01:56.380]  We see this everywhere, inside your home, inside power plants, inside aircraft, inside space assets,
[01:56.380 --> 02:02.500]  all sorts of industrial things, like the manufacture of masks,
[02:02.500 --> 02:08.040]  and even your coffee maker is, in and of itself, a control system.
[02:08.040 --> 02:11.000]  And hopefully everybody's had loads of coffee today.
[02:11.000 --> 02:13.900]  Believe it or not, I haven't. That's okay.
[02:13.900 --> 02:17.300]  So, some of the things that we have to remember is this.
[02:17.880 --> 02:24.960]  The previous speaker was talking about Zoom, and we're actually coming to you live over Zoom and Twitch.
[02:24.960 --> 02:30.720]  When we're talking about technology, we have to think of the fact that
[02:31.300 --> 02:37.780]  a lot of technology is pushed out there as quickly as possible to gain some sort of edge in the market.
[02:37.780 --> 02:42.480]  So, it's quite common to have what I call profits over vulnerabilities.
[02:42.480 --> 02:50.220]  And when we're dealing with control technology, there's also a lot of legacy devices.
[02:50.440 --> 02:58.960]  A good instance is the BART public transport system in and around San Francisco, which
[02:59.480 --> 03:04.960]  has such old legacy equipment that they have to look on eBay to get any sort of replacements.
[03:04.960 --> 03:11.140]  And I've dealt with other public transport companies where they've got signaling systems that are almost 50 years old.
[03:11.140 --> 03:16.560]  Since they can no longer find these systems, they actually have to fabricate them.
[03:16.560 --> 03:23.300]  And they've been trying to update them and turn them into IoT systems, which has been extremely challenging.
[03:23.600 --> 03:30.500]  When you build a power plant, you expect that power plant, after you've spent millions, hundreds of millions sometimes,
[03:30.500 --> 03:38.900]  or if you're talking about nuclear power, billions, you expect that type of hardware and the software running it to last for quite some time.
[03:38.900 --> 03:46.380]  Of course, there's a mismatch because when we start integrating, as we have already in the past,
[03:46.380 --> 03:53.040]  say Windows systems into hardware that's meant to last 10, 20, 30 years sometimes,
[03:53.040 --> 04:01.240]  you obviously get this mismatch and vulnerabilities are introduced into this type of hardware.
[04:02.280 --> 04:08.880]  Now, the longer something is up and running, the more things end up getting plugged into it.
[04:08.880 --> 04:16.260]  And many companies, governments, etc. don't know that they've got orphan servers that are hanging out there,
[04:16.260 --> 04:20.120]  that they had some sort of connection that one person knew about.
[04:20.120 --> 04:25.760]  It could be anything from something stuck in a closet to run reports.
[04:25.760 --> 04:32.360]  There's one case where they only found out at one organization about this because they were renovating the office building
[04:32.360 --> 04:42.200]  and they found in the wall a couple of cables, a power cable and a network cable, broke the wall down and in there was a reporting server.
[04:42.200 --> 04:44.540]  So these types of things happen.
[04:44.760 --> 04:54.400]  But at the same time, we also have to remember that our modern world is most definitely driven on technology and digitization.
[04:54.460 --> 05:01.000]  And that can also come with a bit of a cost when we discuss geopolitics.
[05:01.000 --> 05:05.920]  Not everyone is friends and sometimes your friends are actually frenemies.
[05:05.940 --> 05:16.700]  And we have to realize that we have become as dependent on ICT systems as we have on oxygen at this point in time.
[05:16.700 --> 05:22.080]  Funny enough, oxygen is produced in a controlled system environment.
[05:22.140 --> 05:29.480]  Now, to make matters even worse, lots of different companies, organizations, etc. deal with third parties.
[05:29.480 --> 05:34.160]  You can't manufacture a program and do everything yourself in a closed bubble.
[05:34.280 --> 05:43.940]  And sometimes that means that there could be, like in the Target situation, an HVAC company who had access to Target.
[05:43.940 --> 05:47.420]  And unfortunately, they were used as a conduit for attack.
[05:47.800 --> 05:55.820]  So we have to think about these things when we think about some of the risks and security challenges with control systems and technology.
[05:55.820 --> 05:59.380]  So, I deal a lot with critical infrastructure.
[05:59.380 --> 06:03.780]  And that's the type of stuff that really keeps the modern world going.
[06:03.780 --> 06:09.660]  But interestingly enough, there's no international consensus as to what critical infrastructure is.
[06:09.660 --> 06:14.180]  I was on a recent call doing a presentation for the United Nations.
[06:14.220 --> 06:21.780]  And I brought up with one of the presenters that, because I live in the Netherlands, we're the second largest food exporter in the world.
[06:21.780 --> 06:28.340]  It's a tiny country, 17 million people, but we produce and export number two in the world.
[06:28.340 --> 06:36.140]  And the reason for that is our farmers have drones and robots, and it's highly sophisticated.
[06:36.140 --> 06:42.100]  So we've got a lot of industrial IoT systems and ICS systems that are mixed in.
[06:42.540 --> 06:50.420]  And I brought up the fact that for the Netherlands, for example, that agriculture should be considered part of critical infrastructure.
[06:50.420 --> 06:54.200]  Of course, this varies from country to country, region to region.
[06:54.280 --> 07:07.460]  I would not expect Mongolia to think of port security as critical infrastructure, but I would here in the Netherlands or the United States or any place that has a lot of different ports that they depend on.
[07:07.740 --> 07:18.460]  So, one of the reasons why some of this stuff is so insecure is the companies who make the hardware and or software are not in security.
[07:18.460 --> 07:24.940]  They're in it to make things interoperable so that they work together and produce what they're supposed to do.
[07:24.980 --> 07:37.900]  And another very interesting factor is when you're dealing with control systems, we've seen this triad, the triangle, excuse me, of CIA, where confidentiality is queen.
[07:37.900 --> 07:42.260]  However, in the industrial world, availability is.
[07:42.260 --> 07:52.360]  So, if you have to pile on things like encryption or lots of authentication, you can cause a latency to encrypt, decrypt, encrypt, decrypt, etc.
[07:52.520 --> 07:59.500]  And from the moment you press a button or send what's called a sec command, you want that to go through the system as quickly as possible.
[07:59.500 --> 08:08.480]  And unfortunately, that means that security is actually the bottom part. It's availability, integrity, and confidentiality.
[08:08.480 --> 08:12.740]  That's the order that it goes with critical infrastructure and control systems.
[08:12.740 --> 08:21.640]  Now, another major factor is that the vast majority of critical infrastructure and control systems are privately owned.
[08:21.640 --> 08:32.780]  So, there are limitations to what a government can regulate, legislate, and dictate to a company because there are going to be costs associated with securing this infrastructure.
[08:32.980 --> 08:44.520]  And we have to ask the question, how much does water cost right now versus less risky water infrastructure?
[08:44.520 --> 08:56.320]  Or are hospitals going to have to choose between tightening up and securing their ICT systems, which are included in a lot of medical IoT devices and built-in control systems?
[08:56.320 --> 09:02.220]  Or are they going to buy a ventilator or an MRI machine, etc.?
[09:02.220 --> 09:11.160]  So, there is an absolute cost associated with this. But at the same time, we're absolutely dependent on this stuff.
[09:11.880 --> 09:21.140]  So, the other day, for this presentation, what I did was I used Censys to do a massive scan across the internet using their ZMap project.
[09:21.140 --> 09:35.360]  And I was trying to concentrate on things that I could immediately find that were related to industrial IoT, control systems, and things of that nature.
[09:35.380 --> 09:41.140]  And the problem is, I found a heck of a lot. And this was just the top ten things.
[09:41.140 --> 09:54.080]  As you'll notice, there's a lot of SCADA systems, which are Supervisory Control and Data Acquisition, which connect a lot of the backbone, so to speak, of ICS systems, built-in control systems.
[09:54.080 --> 10:03.420]  These can vary from security stations. A lot of police departments use these, especially in the United States and China.
[10:04.080 --> 10:12.680]  Also, HVAC, my personal favorite protocol for control systems, which is Modbus. I'll tell you why in a moment.
[10:12.760 --> 10:24.260]  So, there's a lot of these things that are exposed on the internet right now. And when I say, please hack me, the reason being is, even if you've got a modern system, yay!
[10:24.260 --> 10:39.480]  And when it comes to the point of, hey, we have a patch, we need to update this, a lot of organizations won't do that very quickly, because they're afraid that it will lose that interoperability function.
[10:39.560 --> 10:47.880]  And you don't want to do that in, I don't know, a water processing plant, and then knock out everybody's water for a short time.
[10:48.840 --> 11:01.680]  So, one of the reasons why I like Modbus is, when it was created, it was created a long time ago, there is no real, really, any authentication or security.
[11:02.380 --> 11:16.560]  And here, this protocol, because it was made open source, was adopted like crazy. As quickly adopted as Zoom was during the pandemic, basically, because it didn't cost any money to do so.
[11:16.560 --> 11:23.620]  And it communicates between different types of equipment. It's got to be on the same network, though.
[11:23.780 --> 11:31.400]  It will also transmit all sorts of data between a SCADA system and what's called a remote access terminal unit.
[11:32.020 --> 11:37.580]  One of my other favorite features is the fact that it uses ladder logic, very much like a firewall.
[11:37.580 --> 12:04.440]  And if any of you have seen a firewall with 2,000 plus different rules, you'll know that if part of that ladder logic is not done correctly, then your security settings in that firewall, just like the ladder logic, will actually be moot and make the oncoming settings absolutely useless.
[12:04.440 --> 12:13.140]  And it also has a slave to master architecture. So it's kind of old school.
[12:13.140 --> 12:20.620]  Some of the things that you'll see using Modbus are PLCs, or programmable logic controllers, remote terminal units.
[12:20.620 --> 12:30.650]  There are actually some modems, industrial modems that still use this, as well as parts of some systems with certain types of SMS.
[12:30.650 --> 12:36.890]  And old school paging, which happens to be used in a lot of hospitals still.
[12:37.430 --> 12:44.450]  And there is some safety equipment that is actually used with Modbus, but less and less nowadays.
[12:44.810 --> 12:47.970]  So I'm going to start introducing you to some tools.
[12:47.970 --> 13:03.910]  Because see, Modbus, although some versions of it can run over TCP/IPv4, it's not, say, directly translatable, meaning everything is in hexadecimal code.
[13:03.910 --> 13:18.130]  And also a lot of the regular IT-based hacker tools and scanners can't actually reach in really, really deep to see anything past, hey, this port's open.
[13:18.330 --> 13:23.270]  So we have to use some additional tools to get what we need.
[13:23.270 --> 13:36.670]  One of the things I like about the tools that I'll be showing you is the fact that they are absolutely legitimate tools that would not trigger, say, an antivirus alert or a potentially unwanted program.
[13:36.750 --> 13:44.730]  On the contrary, they would be expected to be used as a technician or engineer in many of these different environments.
[13:46.810 --> 13:54.130]  And all of the tools that I'll be showing are free as well if you want to get started.
[13:54.990 --> 14:06.890]  So Chipkin has this wonderful Modbus scanner and what you do is once you can find something that says, hey, I got port 502 open and my banner says Modbus,
[14:06.890 --> 14:17.750]  you go ahead and you plug in the IP address and it will then look even deeper and what it will show you is everything that's on its network behind that IP address.
[14:17.750 --> 14:25.010]  So in this particular case, it isn't just one thing that's at the IP address, it's multiple things that are at the IP address.
[14:25.010 --> 14:30.330]  And we'll also show you different things like functions, which are very important in Modbus.
[14:31.350 --> 14:47.250]  Now, another thing that I like, this one again is free from plcdatatools.com, is once you find an IP address, it will go ahead and scan it and tell you which type is actually running.
[14:47.250 --> 14:54.270]  And sometimes you can get even more information than just what you're seeing right now on your screen.
[14:54.270 --> 15:12.450]  So in this case, I took an IP address and went ahead and scanned and found the firmware version, if it's running, obviously it's running, what the code is, which is a manufacturer code, and also picked up the fact that it is running something called Siemens S7.
[15:12.450 --> 15:30.110]  And this is a proprietary protocol created by Siemens. If you've never heard of Siemens S7, this was the type that was running in the Iranian nuclear enrichment program when Stuxnet hit it.
[15:30.110 --> 15:35.640]  So a PLC programmable logic controller running Siemens S7.
[15:35.640 --> 15:50.780]  And this is quite handy, too, because if you find things that have not been updated, which the vast majority have not been updated recently, you can also couple those with various exploits that are known and use them against them.
[15:50.780 --> 16:08.040]  And another thing is because it's kind of slow to do a lot of these security updates and also although Siemens does a lot nowadays for ICS security, you can use some of the exploits on multiple firmware and model numbers.
[16:08.440 --> 16:14.560]  So it's quite groovy to do this. Of course, only do it legally.
[16:14.560 --> 16:29.580]  And to show you, for instance, I ran across this when I was helping with some of the NATO and European Union member state cyber warfare exercises in Brussels not too long ago.
[16:29.580 --> 16:41.640]  And what I found was this is an actual power station that I found using Shodan and when I went to look further with various other tools and of course with permission.
[16:42.000 --> 16:56.280]  On that power plant and on the piece of Modbus hardware that they have, they also had, unfortunately, a remote access Trojan called Extreme RAT installed.
[16:56.280 --> 17:02.720]  And you can see the banner that shows for this particular version of Extreme RAT.
[17:02.720 --> 17:10.440]  So these things are already present and some power stations and water facilities and etc.
[17:10.840 --> 17:22.620]  Now, another very common control protocol is BACnet and many of us have various different types of thermostats that are digital.
[17:22.620 --> 17:27.920]  And this is just one way that you can use BACnet. It's used in a variety of different ways.
[17:28.360 --> 17:37.260]  And if we take a look at this simple thermostat, we can break down what some of the digits actually mean.
[17:37.980 --> 17:45.600]  And what we can do is flip that around and find some of these objects directly connected to the internet.
[17:45.700 --> 17:51.820]  And BACnet does have some security features, but not that many.
[17:52.660 --> 18:00.040]  So if I break down looking at censys.io, these are the different types of BACnet fields that you can find,
[18:00.040 --> 18:08.800]  which is quite groovy because if you want to, for instance, look at only certain firmware revisions,
[18:08.800 --> 18:19.960]  or application software revisions, or model names, or vendor IDs, you can go ahead and zoom into these.
[18:19.960 --> 18:27.740]  Because every vendor that uses BACnet, similar to Modbus, has to have a registered vendor ID.
[18:30.380 --> 18:39.500]  So a groovy tool that I like to use with BACnet to look even further is from Contemporary Controls BACnet Discovery Tools.
[18:39.500 --> 18:44.660]  And again, this is free. Unfortunately, most of these tools require Windows.
[18:44.660 --> 18:48.800]  It's because there's a lot of Windows in control environments.
[18:48.800 --> 18:56.460]  And you can install this groovy tool, and it does something similar to the Modbus scanner tool from Chipkin,
[18:56.460 --> 19:02.140]  where it will show everything that's connected on the back end to the BACnet tool.
[19:02.140 --> 19:08.700]  And it will also show, for instance, those object names, which is temperature.
[19:08.700 --> 19:20.950]  And this is quite handy. Also, another thing to add is BACnet uses port 47808 and uses UDP predominantly.
[19:22.360 --> 19:29.080]  So this is a very interesting protocol because it has gotten very, very big.
[19:29.080 --> 19:32.340]  And it is used in all sorts of places.
[19:32.340 --> 19:42.660]  And it's also had some noted security issues where it's taken time for the people behind Tridium to actually issue patches.
[19:43.220 --> 19:46.740]  It is driven on Java, Java, Java.
[19:46.740 --> 19:54.540]  And it could be in your elevator. It could be in a private or police security station.
[19:54.940 --> 19:59.600]  It could be in your airport. Luckily, not many of us can fly, right?
[19:59.600 --> 20:02.820]  It can be in a bit of everywhere.
[20:02.940 --> 20:08.980]  And think about some of the mayhem that could be done if you were able to get into some of these different devices.
[20:10.640 --> 20:14.820]  So it goes kind of by two names, Tridium or Fox Protocol.
[20:14.960 --> 20:18.580]  And on Censys, here's some of the things you can pick up on.
[20:18.840 --> 20:24.900]  You can pick up on the application version, so you can go ahead and map that to any known exploits.
[20:24.900 --> 20:33.800]  Or actually download the package yourself and then in your home lab, of course, with permission.
[20:34.040 --> 20:38.860]  You can start fooling around with some of this stuff to see what else you can find.
[20:38.860 --> 20:47.200]  You can do the host ID, which is quite handy in many different ways, the ID version, station name, etc.
[20:47.520 --> 20:53.700]  And you can do a lot with this particular profile, excuse me, protocol.
[20:53.700 --> 20:56.620]  So I like to have a lot of fun with Fox.
[20:57.640 --> 21:02.940]  And one of the ways that you can look at some of these systems, with permission, of course,
[21:02.940 --> 21:07.940]  is there is a free product for download. This will also run on Linux.
[21:08.980 --> 21:18.660]  And what it does is it's open source, Java based, and it will basically connect to any embedded system that's running it.
[21:18.660 --> 21:26.920]  And it tries to keep it vendor neutral, so it won't just be vendor A, B, and C, but not D.
[21:26.920 --> 21:29.480]  It will basically connect to anything.
[21:29.620 --> 21:37.860]  And even though there are some security settings, a lot of organizations have not actually set them up.
[21:37.860 --> 21:40.980]  Yay! Please help me.
[21:41.720 --> 21:47.200]  And in addition to that, I wanted to list a few more tools that might interest you.
[21:47.200 --> 22:01.640]  And these are free. Chipkin is an organization that does a lot with technicians that deal with BACnet, Modbus, and a few other, we'll say, more industrial IoT and control systems.
[22:01.640 --> 22:08.620]  And they've got a bevy of tools, which is fantastic, because they also do not security test their tools.
[22:08.620 --> 22:16.620]  And you can weaponize them even further, if you would like, in a controlled manner, legally only.
[22:17.460 --> 22:20.000]  I am not a lawyer. Remember that.
[22:21.000 --> 22:27.000]  So, not long ago, I got this very interesting offer.
[22:27.300 --> 22:33.500]  And one thing to remember about control systems, it's similar to what you may have heard of with cars.
[22:33.560 --> 22:38.100]  A can bus is a can bus. Well, a control system is also a control system.
[22:38.100 --> 22:41.340]  So even boats have these different things.
[22:41.340 --> 22:49.640]  So when I talk about a boat, it's a really big boat, like liquid gas transport or cargo ships.
[22:50.140 --> 22:59.700]  And there was an organization I was working with as an advisor that specialized in maritime security.
[23:00.200 --> 23:03.340]  And they were trying to get the cyber part started.
[23:03.340 --> 23:10.880]  The majority of the stuff they did was maritime intelligence, trying to find ships that go dark on purpose,
[23:10.880 --> 23:17.380]  turning off their identification transponders so they can, I don't know, smuggle arms, people,
[23:17.380 --> 23:23.580]  refuse to rescue people in the Mediterranean, if they're refugees, little things like that.
[23:23.580 --> 23:34.760]  So we got an offer to hack a very, very large boat worth almost 200 million pounds.
[23:35.240 --> 23:44.080]  And of course, me thinking, hmm, what are all of the lovely things that could go wrong with a very, very large boat?
[23:44.480 --> 23:52.620]  So I made a few conditions. One of them was when we stole the boat, I got to wear an eyepatch.
[23:52.620 --> 24:02.720]  Secondly, I got to say, once the boat was, I should say, liberated, I got to say, look at me, look at me.
[24:02.720 --> 24:06.460]  I am the captain now, wearing my eyepatch.
[24:06.460 --> 24:18.200]  And one of the things you have to remember about maritime is there's a lot of legacy stuff, just like industrial protection systems.
[24:18.200 --> 24:30.580]  So fun fact, really big ships, their control mechanism is actually controlled via the civilian band of GPS.
[24:30.580 --> 24:39.800]  And there are already known ways to exploit the civilian band. These are not tied to the military GPS control.
[24:39.800 --> 24:52.970]  So the captain of a ship does control the ship. However, the majority of where the ship goes is actually controlled with the civilian GPS control system.
[24:53.520 --> 25:08.580]  Another thing about maritime is a lot of them use different forms of something called Windows CE, which depending on the age of the ship and the last time it's been retrofitted,
[25:08.580 --> 25:21.800]  it could be using versions that are based off of Windows XP, Windows 7, and only the newest and greatest stuff is going to be based off of Windows 10.
[25:21.960 --> 25:34.020]  And one of the things that concerns many people about Windows CE is it is for embedded systems and it's in compact edition.
[25:34.020 --> 25:44.900]  It doesn't have all the bells and whistles. So out of the box, it's not going to be logging everything that you would expect with professional edition.
[25:44.920 --> 25:53.060]  It's also going to be slower to patch from Microsoft because they know that a lot of industrial systems use these.
[25:54.540 --> 26:02.240]  And there's a bevy of wonderful mayhem that can be done with various different types of Windows CE.
[26:02.240 --> 26:11.040]  Another thing to consider when we're talking about maritime is there are multiple entry and exit points on a large ship.
[26:11.040 --> 26:15.740]  They have to keep in contact with a lot of different things.
[26:15.740 --> 26:28.200]  There's something called the AIS system, in two different forms, that was mandated for larger ships to use to avoid hitting other ships, which is kind of nice.
[26:28.200 --> 26:36.480]  But it also automatically has contacts with things like buoys, land stations, and other things.
[26:36.480 --> 26:48.160]  And the AIS protocol... background, I've been building a few tools because I know that there are various security issues with that particular protocol.
[26:48.160 --> 26:55.320]  And that's one of the ways that the ship in question was liberated.
[26:56.240 --> 27:03.640]  Then you also have VSAT systems, UHF systems sometimes, and different other types of communications.
[27:04.780 --> 27:12.900]  And one of the problems with these is, again, they might be legacy, but also the manufacturers are not in the security business.
[27:12.900 --> 27:24.620]  So I can find, for instance, VSAT systems directly connected to the internet that's giving way too much information that could then be turned around and remotely controlled.
[27:24.620 --> 27:27.890]  Because they're exploitable in many cases.
[27:28.340 --> 27:39.480]  And even where there is security, several of the major manufacturers for some of these, including some of the 3G, 4G modems that are also in use with the larger ships,
[27:39.480 --> 27:47.910]  is they'll use what's called known private keys, which equals, I tried to encrypt, but not really.
[27:48.240 --> 27:51.580]  So even boats can be yours.
[27:51.580 --> 27:56.840]  Now, many of us are not in Vegas. I'm in my tiny house in Amsterdam.
[27:57.260 --> 28:03.420]  And we've done a lot of increased teleworking. Everything is remote now.
[28:03.420 --> 28:06.340]  Here's a new hashtag, bring your own house.
[28:06.340 --> 28:17.440]  Because the regular, say, office or power plant security is now in your living room or in your home office.
[28:17.440 --> 28:25.780]  Many people have to share their home network with their partners, their Roomba, in my case, my partner,
[28:25.780 --> 28:33.360]  children, or especially if you're stealing your neighbor's Wi-Fi to watch this presentation right now.
[28:33.400 --> 28:37.340]  But when you have to do work, let's say you're doing sensitive stuff.
[28:37.340 --> 28:44.800]  Let's say you are a process engineer that can't go into your place of work and have to do things more and more remote.
[28:44.800 --> 28:48.800]  Guess what? Your infrastructure could be mine.
[28:49.240 --> 28:54.500]  Because one of the problems is when things are rapidly set up, especially during a pandemic,
[28:54.500 --> 28:59.520]  they might not be using the newest, greatest, most patched and updated things.
[29:00.320 --> 29:04.900]  And another thing to consider is a lot of production and industrial systems,
[29:04.900 --> 29:09.680]  the manufacturers will just pick one out of the air, Honeywell, for example,
[29:09.680 --> 29:12.500]  they'll say, hey, we have all this equipment at your plant.
[29:12.680 --> 29:19.520]  But to maintain the warranty on the service agreement, when you paid all this money for this plant,
[29:19.520 --> 29:28.180]  we need a direct connection to constantly pull data and look at the infrastructure to make sure everything is working correctly.
[29:28.640 --> 29:32.800]  By the way, we're going to use a really old version of VNC.
[29:32.800 --> 29:39.580]  And all of our technicians use the same exact credentials to connect to all of our worldwide customers.
[29:39.580 --> 29:44.180]  Yay! Otherwise known as a technician backdoor in these cases.
[29:44.180 --> 29:47.980]  And if you say, hey, Honeywell, you know, that's not very secure.
[29:47.980 --> 29:50.580]  And they're like, hey, you know what's even less secure?
[29:51.300 --> 29:55.060]  Not having a warranty on all of your hardware.
[29:55.260 --> 30:00.060]  And you're like, oh, yeah, we'll be using that old version of VNC.
[30:02.080 --> 30:08.120]  So with this wonderful 2020 trying to kill this pandemic really hit,
[30:08.120 --> 30:16.240]  I went ahead and scanned the Internet and took the top 10 countries with assets that say hello to the Internet.
[30:16.440 --> 30:23.400]  And that's in the yellowish. I'm not sure how much you can see because of the big DEF CON logo.
[30:23.400 --> 30:34.060]  And in the orangish bar, those are remote only access protocols that I was looking for and also certain versions.
[30:34.060 --> 30:41.600]  Like older versions of SSH, FTP, remote desktop protocol, etc.
[30:41.720 --> 30:49.700]  So what I found was, for instance, the United States has 47,500,000 assets.
[30:49.700 --> 30:55.860]  Out of those assets, when I was looking only for known exploitable remote access vulnerabilities,
[30:56.280 --> 31:04.640]  there were almost 12.5 million ones that I could find for the United States, which is not a great ratio.
[31:04.680 --> 31:10.400]  However, I will say that some of the assets that I scanned, they can have multiple vulnerabilities.
[31:11.360 --> 31:20.080]  Looking at between the U.S. and China, China has almost 8.5 million assets on the Internet that say hello,
[31:20.080 --> 31:26.640]  but almost 5 million of those are remotable with known exploits and vulnerabilities in them.
[31:27.300 --> 31:38.880]  The one country that did fairly well was actually the United Kingdom with their ratio between assets and exploitable vulnerabilities.
[31:38.880 --> 31:45.540]  And one of the reasons for that was several years ago, they did something very fantastic.
[31:45.540 --> 31:55.580]  They instituted this thing, a cyber program for anyone doing business with the U.K. and also critical infrastructure,
[31:55.580 --> 32:04.140]  had to really take a look at their stuff and go ahead and pass an audit, in most cases a self-audit,
[32:04.140 --> 32:08.200]  depending on your level of access with the government and also critical infrastructure.
[32:08.200 --> 32:17.540]  And they were able to get a head start and so they actually are doing fairly well in comparison to the rest of the top tenors.
[32:18.560 --> 32:27.820]  So another thing that we have to consider is because things are now industrial IoT devices or IoT devices,
[32:27.820 --> 32:33.940]  this means that you can have a control system that is IoT enabled.
[32:33.940 --> 32:39.220]  Now in this case, I like to take a look at Tesla stuff because I just do.
[32:39.560 --> 32:50.100]  And you can actually use Censys.io, what I call census.org, to find various Tesla Powerwalls.
[32:50.100 --> 32:57.820]  And what's interesting about this is even though Tesla has some security, it's still single factor authentication.
[32:57.820 --> 33:04.160]  There's still a web interface. The customer doesn't necessarily have to set up any real security.
[33:04.160 --> 33:10.120]  So there's admin-admin kind of stuff, depending on the version of the software.
[33:10.120 --> 33:20.280]  Tesla does not force down updates like Windows 10 or their cars, so there are a lot of old versions.
[33:20.280 --> 33:25.640]  And what you can actually pull back is the configuration of the power walls.
[33:25.780 --> 33:34.920]  Versions, timestamps, showing the last login, how long it's been up, if it's updating or not, and a bevy of other diagnostic information.
[33:35.200 --> 33:47.560]  And what's unfortunate is if you're able to get into some of these systems, which you can, you can do more nefarious things.
[33:47.560 --> 33:57.320]  Like imagine a region of power walls that suddenly all of their electricity got dumped on the energy grid. That would be a very bad thing.
[33:57.320 --> 34:05.600]  Or if it was connected to some sort of crucial hardware, that would be a bad thing.
[34:05.600 --> 34:14.260]  And in this particular case, this one was connected to a crane. Who doesn't want to own their own crane? Well, you can too.
[34:14.260 --> 34:28.920]  So, you have to understand that if it's running a web server, I don't care if it's a power bank or a piece of industrial equipment or whatever, you can hack it like a web server. Remember that.
[34:29.720 --> 34:37.700]  So, I do a lot in aviation. Sometimes that's good, sometimes they hate me.
[34:38.580 --> 34:45.560]  So, either way, you know, so there are various ways to get into various things.
[34:45.560 --> 34:50.660]  And one of the dangers that we have is a lot of remote desktop protocol.
[34:50.660 --> 35:02.940]  You can actually buy exploited systems on the scary dark web from a dollar to ten dollars apiece if they have RDP.
[35:02.940 --> 35:07.400]  Ten dollars is for typically U.S. military assets that are found.
[35:07.400 --> 35:17.840]  In this case, this one belongs to Airbus, where luckily the admin happens to be logged in. I wonder what the password might be.
[35:18.260 --> 35:24.900]  And the CN is actually the certificate, which I could match up to absolutely belonging to Airbus.
[35:25.040 --> 35:34.980]  Another fun fact is depending on the aircraft, some Airbus aircraft actually use Windows CE in their aircraft. Yay!
[35:36.360 --> 35:46.440]  So, I'm not sure you may or may not have heard much about Boeing other than some of their planes like to fall from the sky because they have software issues.
[35:46.660 --> 36:00.700]  And starting last year, one of the things I did, and by the way, hi Boeing, I know you still want to put me in jail, was that I took a look around some of their infrastructure and found that it was incredibly bad.
[36:00.700 --> 36:09.980]  For instance, at the time, Boeing.com and its websites didn't even use HTTPS or any encryption for their websites.
[36:09.980 --> 36:12.960]  And this included login systems. Yay!
[36:13.640 --> 36:22.160]  I was able to get into the R&D section of their flight control software, which also included the 737 MAX aircraft,
[36:22.160 --> 36:34.360]  because to authenticate, I was using Firefox with NoScript running, and the website had a message, you are not running scripts, please press this button.
[36:34.360 --> 36:38.540]  Press the button. I was in! How awesome is that?
[36:38.660 --> 36:49.440]  There were, you know, six cross-site scripting vulnerabilities in the live in-production flight control aviation ID system. Woo-hoo-hoo! Right?
[36:49.440 --> 36:58.500]  And the interesting thing about this is, if you can get into the flight control system or software, and you know what you are doing,
[36:59.620 --> 37:05.660]  the process is, the technician will download what's needed for their aircraft, put it on a maintenance laptop,
[37:05.660 --> 37:11.360]  that maintenance laptop then plugs into the aircraft itself, into the flight control system.
[37:11.360 --> 37:21.680]  So imagine some of the mayhem that you could do, because Boeing had zero effort and zero knowledge in security.
[37:21.980 --> 37:30.760]  Funny enough, they do sell cyber security services as consultants to the U.S. government.
[37:30.760 --> 37:35.340]  However, I guess they never ate their own dog food and looked at their own stuff.
[37:35.340 --> 37:41.640]  There were even hard-coded credentials in an older version of SAML that you could easily decode.
[37:41.960 --> 37:49.540]  The response from Boeing was, you're a criminal, harassment, no bug bounty.
[37:50.460 --> 37:58.160]  And it was only after my 59-page report went through and it got media attention after a disclosure period
[37:58.160 --> 38:07.060]  that they were forced to start their first vulnerability disclosure program, which they said it was based on my report.
[38:07.060 --> 38:13.820]  However, as far as I'm aware, Boeing still gives zero bug bounty awards.
[38:15.100 --> 38:19.360]  So agriculture is nice, because I think all of us like to eat.
[38:19.360 --> 38:27.660]  This is an instance where it's a control system that is now an industrial IoT system that is hanging on the Internet,
[38:27.660 --> 38:33.500]  that has a web server that has never been security tested, with no authentication.
[38:33.700 --> 38:41.540]  And it happens to be a European fish farm, a salmon farm to be exact.
[38:41.540 --> 38:48.760]  And you can actually, in real life, press the buttons, and you can modify the operations of this.
[38:49.920 --> 39:02.920]  So, we like water. Mexichem is actually a major bottled water provider, manufacturer, amongst other things, in Latin America and South Africa.
[39:02.920 --> 39:05.400]  They do a lot of stuff.
[39:05.480 --> 39:10.400]  So, I was looking around, because I get curious and bored.
[39:10.400 --> 39:19.700]  And I was very quickly able to find, because they allowed LDAP to be exposed to the Internet,
[39:19.700 --> 39:33.860]  I found 24 pages of assets from the IT side on the business level, all the way down to on the control level for their Windows-based SCADA systems.
[39:33.860 --> 39:46.740]  And this was rather unfortunate, because some of the systems that I was able to find was this wonderful, what's called HMI, Human Machine Interface,
[39:46.740 --> 39:51.720]  the same exact version that was vulnerable to some of the BlackEnergy attacks.
[39:51.920 --> 39:56.580]  And you didn't actually have to log in, because it was never set up correctly.
[39:56.580 --> 40:00.920]  I could access the drives that it was attached to.
[40:00.920 --> 40:12.420]  I could import and delete recipes, which is actually the production recipe of what the machinery will be doing.
[40:12.420 --> 40:17.240]  And I could just click as many buttons as I wanted to.
[40:17.240 --> 40:28.420]  I could even export the administration data, all at the touch of my fingertips from my comfortable, small Amsterdam house.
[40:29.200 --> 40:42.740]  And Mexichem also produces various different types of chemicals, some of which are more controlled, so that they don't fall in the hands of really bad people who want to make things go boom.
[40:43.840 --> 40:50.360]  So another thing to consider is we're talking about IoT systems.
[40:50.360 --> 40:53.720]  They can be anywhere.
[40:53.760 --> 40:55.960]  They could be inside a hospital.
[40:55.960 --> 40:57.640]  They could be on sensitive networks.
[40:57.640 --> 41:02.480]  They could be at nuclear physics labs in Russia.
[41:03.400 --> 41:11.280]  And they could also be inside control systems, so that you can actually, you know, use a printer.
[41:11.280 --> 41:18.960]  And so I was able to have a bit of fun, again, being bored.
[41:18.960 --> 41:20.680]  Don't ever let me get bored.
[41:20.680 --> 41:29.540]  And use Censys and a few other scanning tools to quickly find as many particular printers as possible.
[41:30.160 --> 41:39.940]  It stemmed from the fact I was having a problem with my printer, and I downloaded the Brother admin tool, which covers almost all of their models.
[41:39.940 --> 41:43.800]  And I noticed that it had never been security tested.
[41:43.800 --> 41:51.420]  So I went ahead and flipped it around and turned it into a dual-use weaponized piece of admin tool.
[41:51.640 --> 41:58.580]  And a lot of these printers will have web interfaces.
[41:58.580 --> 42:05.420]  So I had a lot of fun with cross-site scripting, but most of my fun came from using the admin tool.
[42:05.420 --> 42:20.120]  See, once you find one of these printers, it's not that difficult to find, you can use the free Brother admin tool, go ahead and put in the IP address, and then connect to somebody else's printer anywhere in the world.
[42:20.120 --> 42:32.260]  You can see how much ink they have, you can even order, if it's set up in their printer, ink and toner supplies, because, hey, toner's worth more than platinum.
[42:32.980 --> 42:39.080]  And you can also send files directly to the printer.
[42:39.260 --> 42:51.200]  So I had a lot of fun with this, but unfortunately, Brother, like most printer manufacturers, does not have a vulnerability disclosure program.
[42:51.200 --> 43:02.660]  Nor did they ever think that you could use this lovely free tool, available now to download, and you can weaponize it and really make printers' lives uncomfortable.
[43:03.140 --> 43:16.900]  Bonus item, if it's a multifunctional printer that's more of the commercial variety that has a hard drive installed, and, say, Human Resources uses it as a scanner for different types of identification systems,
[43:16.900 --> 43:26.820]  you can even access the hard drive where it saves those scans and get all sorts of personally identifiable information and health data just by using this tool.
[43:27.320 --> 43:42.520]  So, I like space, and one of the things that is a bit problematic is, just like regular industrial systems, once you put something in space, it's expected to last a while.
[43:42.520 --> 43:53.400]  There's even a space satellite that is in a very interesting orbit that has been up there for over 50 years. There's a lot of legacy stuff.
[43:53.800 --> 44:02.180]  Once you put something up there, it's not like you can go, hey, guess what? We've got this new type of encryption. You know what? It needs a chip to be able to process it.
[44:02.180 --> 44:20.900]  We're just going to replace that chip in the satellite. That doesn't happen. And what we did last year was, in the United Kingdom, thanks to Oxford, who funded it, and De Montfort University, we held the first space hackathon at Royal Holloway University
[44:20.900 --> 44:39.740]  to discuss these things with cleared PhD students who were given a lot of information by myself and others on some of the problems with current and new space assets, because they're really industrial IoT devices, and how to combat some of those problems.
[44:39.740 --> 45:06.880]  Because encryption might not be there. I believe it was only the year before last that the FTC mandated that new space assets actually had to have the ability to use encryption. And we've seen some satellite systems being used in various cyber crime attacks and malware, because if you can put one of your hops and traceability on a satellite, it kind of makes it a bit hard to see who's actually behind different things.
[45:06.880 --> 45:29.840]  So a lot of cool stuff came out of this hackathon. PhD students were absolutely fantastic and energetic. They listed a lot of very pertinent risks that we had to consider, such as the current UN space treaties do not cover private companies when it comes to warfare. It only covers nation states.
[45:29.840 --> 45:55.060]  And the fact that some major players in the market, if you want to watch a great older movie, I believe it's called Moonraker, it's a James Bond movie, where a really rich guy with way too much money decides to go into space and then try to take over the world by going to war in space as a private company.
[45:55.060 --> 46:10.460]  And so some of the risks listed were, for example, Elon Musk and his program, because anyone can turn evil and he already thinks that the pyramids were created by aliens.
[46:10.460 --> 46:30.620]  So to give a brief example, you can actually find some of these systems. Now, there's different ways that you can find various space IoT systems. A lot of them you'll find are actually land systems that then communicate up, but those land systems, they can actually unfortunately be hacked.
[46:30.620 --> 46:54.340]  In this particular case, I was able to find a relay connection up to a satellite. And I didn't want to give away too much information because they have not gotten back to me. I was able to find this particular device was running my favorite protocol, Modbus, with no authentication. It could give the device ID, function codes, and all sorts of information about it.
[46:54.340 --> 47:22.720]  And by looking into various user manuals that are freely available, I was able to find that it was called a Sunny String Monitor that was attached to the satellite. And what it does is it looks for sun and goes ahead and opens a solar array on a satellite system to give it power, or closes it down when there's nothing available, or can move it around a little bit. So imagine what you could do with that.
[47:24.500 --> 47:38.760]  Why is this kind of important? Last month, the United Nations Institute for Disarmament Research asked me to give a presentation, a closed dialogue session to permanent member states with other member states as observers.
[47:38.760 --> 47:59.460]  And I brought up the fact that we need to be a lot more proactive. And although the United Nations in 2015 established that member states are responsible for securing their ICT cyberspace, that also includes space assets, that also includes industrial systems, etc.
[48:00.920 --> 48:16.420]  They agreed to establish a computer emergency response team. And that's well and good. It's fantastic. It's much needed. But that also is very, very reactive and constantly you're putting out fires. So it's very difficult for you to be proactive.
[48:16.420 --> 48:41.500]  So I brought up with them that I'm currently working with part of the European Union to actually establish their first proactive computer emergency protection team, a CEPT. And CERT step one, step two, to try to alleviate some of the burden and also try to catch things as quickly as possible before they become major incidents.
[48:41.500 --> 49:10.240]  Now back in 2009, this is also another reason why it's kind of important, is I detected a cyber warfare attack, the second wave of such attacks caused by malware that the North Koreans created. One of the things they did was they leveraged higher speed bandwidth in Northern Europe to go ahead and have those various devices aim at the South Korean infrastructure and also part of the infrastructure of the United States.
[49:10.240 --> 49:22.820]  So they attacked the South Korean version of the White House and also the U.S. version of the White House. They tried to affect the New York Stock Exchange and a lot of other very important places.
[49:22.820 --> 49:43.200]  And because we were also monitoring in my shop ICS systems that had internet connectivity, we found that some of the Windows-based stuff actually was also affected and was trying to take down part of South Korea and the U.S.
[49:43.200 --> 50:06.200]  So you can actually, unfortunately, weaponize with various types of malware, IT, IoT, and ICS as we keep seeing. But even in 2009, 11 years ago, we were seeing this type of stuff. So we need to take it much more seriously with the vendors as well as the critical infrastructure operators and get the tech community involved.
[50:06.200 --> 50:22.320]  Because academia is great, government experts are fantastic, but it's us and you watching this that have that hacker mentality and can actually express it and find ways in and out that others can't.
[50:22.320 --> 50:38.360]  So with that, I will be available on Discord for questions. Hopefully I get the right Discord channel. I wanted to give a huge shout out to Omar, @santosomar, and the Red Team Village for inviting me.
[50:38.520 --> 50:48.300]  If you also would like to contact me about things that are going on in the Middle East, I believe my contact information is now on the Middle East Institute's website.
[50:48.300 --> 51:03.880]  And feel free to contact me on Twitter and I take DMs. Just no weird pictures. No weird sexy time pictures. Let me stress that. I love pictures of cats. So thank you very, very much, Red Team Village. It is greatly appreciated.
[51:04.480 --> 51:26.880]  Thank you so much for supporting us and for the great presentation. You're getting a lot of kudos in Discord. So talking about Discord, if you're joining us, you can see the link in the bottom of the screen. There's a link to a website where it has a lot of other information about speakers along with all the activities that are happening, of course, in DEF CON.
[51:26.880 --> 51:39.000]  So with that said, we're going to go on a break for a few minutes and then the next presentation will be up in probably about 15 to 20 minutes. So thank you again, Chris. Great presentation. Have a nice one.
[51:39.000 --> 51:40.040]  All right. Cheers.
